PatchSiren cyber security CVE debrief
CVE-2026-25196 Copeland CVE debrief
CVE-2026-25196 is an OS command injection vulnerability in Copeland XWEB Pro version 1.12.1 and earlier. CISA’s advisory published on 2026-02-26 says an authenticated attacker can inject malicious input into the Wi‑Fi SSID and/or password fields and trigger remote code execution when the configuration is processed. The issue is rated CVSS 8.0 (HIGH) and is most important for OT/industrial environments running affected XWEB Pro devices.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Administrators and operators of Copeland XWEB Pro systems, especially those managing XWEB 300D PRO, XWEB 500D PRO, or XWEB 500B PRO devices. Incident responders and OT security teams should also care because exploitation requires authenticated access with high privileges but can result in remote code execution on the device.
Technical summary
CISA’s CSAF advisory describes an OS command injection issue affecting XWEB Pro version 1.12.1 and prior. The attack path is through malicious input supplied to the Wi‑Fi SSID and/or password fields; when the configuration is processed, injected commands may execute on the system. The supplied CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, which indicates network exposure, high privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
Defensive priority
High. Prioritize rapid remediation in any exposed or operationally critical deployment because the flaw can lead to remote code execution on an OT device, even though exploitation requires authenticated access with high privileges.
Recommended defensive actions
- Update XWEB Pro to the latest version using Copeland’s software update page for the affected model.
- If the device is internet-connected and you are already logged in, use SYSTEM -- Updates | Network to update directly from Copeland servers.
- Verify which deployed devices are in scope and include XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO in your patch inventory.
- Restrict and review privileged access to XWEB Pro administration interfaces while remediation is in progress.
- Monitor for unexpected configuration changes or other signs of unauthorized administrative activity on affected devices.
Evidence notes
All core findings in this debrief come from the supplied CISA CSAF advisory source for ICSA-26-057-10 and its referenced remediation guidance. The source states the affected versions, the Wi‑Fi SSID/password injection path, the remote code execution impact, and Copeland’s update guidance. Timeline fields in the supplied data show initial publication and modification on 2026-02-26; no KEV entry or ransomware campaign use was provided in the source corpus.
Official resources
-
CVE-2026-25196 CVE record
CVE.org
-
CVE-2026-25196 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in advisory ICSA-26-057-10 on 2026-02-26. The supplied data indicates initial publication on that date and does not include a KEV listing.